Difference between revisions of "Be your own CA"

From BubbaWiki
Jump to navigation Jump to search
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
Tired of untrusted SSL&nbsp;messages? Then why not be your own Certificate Authority&nbsp;!?<br>  
Tired of untrusted SSL&nbsp;messages? Then why not be your own Certificate Authority&nbsp;!?<br>  


This how-to describes how to generate your own CA certificate and generate and sign your own certificates.<br>  
This how-to describes how to generate your own CA certificate and generate and sign your own certificates.<br>  


== Generate a CA Certificate and Key  ==
== Generate a CA Certificate and Key  ==


Become the root user<br>  
Become the root user<br>  
<pre>su -
<pre>su -
mkdir -m 0755 CA CA/private CA/certs CA/newcerts CA/crl
mkdir -m 0755 CA CA/private CA/certs CA/newcerts CA/crl
cd CA
cd CA
touch index.txt
echo 1000 &gt; serial
cp /etc/ssl/openssl.cnf .
cp /etc/ssl/openssl.cnf .
chmod 600 index.txt serial openssl.cnf </pre>  
chmod 600 index.txt serial openssl.cnf </pre>  
Modify the following parameters in the just copied file openssl.cnf<br>  
Modify the following parameters in the just copied file openssl.cnf<br>  
<pre>default_md = sha256
<pre>default_md = sha256
default_bits = 2048
default_bits = 2048
Line 17: Line 24:
certificate = $dir/certs/myca.crt # The CA certificate
certificate = $dir/certs/myca.crt # The CA certificate
private_key = $dir/private/myca.key # The private key</pre>  
private_key = $dir/private/myca.key # The private key</pre>  
Generate your CA certificate<br>  
Generate your CA certificate<br>  
<pre>openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 7300</pre>  
<pre>openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 7300</pre>  
The certificate will be valid for about 20 years.
The certificate will be valid for about 20 years.


Keep your password and key safe!<br>  
Keep your password and key safe!<br>  
<pre>chmod 400 private/myca.key </pre>
<pre>chmod 400 private/myca.key </pre>
== Generate a Certificate Request  ==
== Generate a Certificate Request  ==


Generate your B3 server certificate. <br>  
Generate your B3 server certificate. <br>  


'''Note:'''<br>
'''Note:'''<br>


Fill in your B3 server name when asked the question: Common Name (eg, YOUR name) []:<br>  
Fill in your B3 server name when asked the question: Common Name (eg, YOUR name) []:<br>  


Just hit enter when asked the question: A challenge password []:<br>
Just hit enter when asked the question: A challenge password []:<br>


otherwise you would be forced to enter the password everytime you start or restart the Apache webserver
otherwise you would be forced to enter the password everytime you start or restart the Apache webserver
<pre>openssl req -config openssl.cnf -new -nodes -keyout private/server.key -out server.csr -days 3650</pre>  
<pre>openssl req -config openssl.cnf -new -nodes -keyout private/server.key -out server.csr -days 3650</pre>  
The certificate will be valid for about 10 years.<br>
The certificate will be valid for about 10 years.<br>


Keep the key safe<br>  
Keep the key safe<br>  
<pre>chmod 400 private/server.key</pre>
<pre>chmod 400 private/server.key</pre>
== Sign the Certificate Request  ==
== Sign the Certificate Request  ==
<pre>openssl ca -config openssl.cnf -policy policy_anything -out certs/server.crt -infiles server.csr
<pre>openssl ca -config openssl.cnf -policy policy_anything -out certs/server.crt -infiles server.csr
rm server.csr</pre>  
rm server.csr</pre>  
== Verify the certificate  ==
== Verify the certificate  ==
<pre>openssl x509 -subject -issuer -enddate -noout -in certs/server.crt
<pre>openssl x509 -subject -issuer -enddate -noout -in certs/server.crt
openssl verify -purpose sslserver -CAfile certs/myca.crt certs/server.crt</pre>  
openssl verify -purpose sslserver -CAfile certs/myca.crt certs/server.crt</pre>  
== Bounce Apache  ==
== Bounce Apache  ==


Replace the old certifcates with your new certificates<br>  
Replace the old certifcates with your new certificates<br>  
<pre>cp /etc/apache2/cacert.pem /etc/apache2/cacert.pem.orig
<pre>cp /etc/apache2/cacert.pem /etc/apache2/cacert.pem.orig
cp /etc/apache2/privkey.pem /etc/apache2/privkey.pem.orig
cp /etc/apache2/privkey.pem /etc/apache2/privkey.pem.orig
Line 55: Line 76:
cp /root/CA/certs/server.crt /etc/apache2/cacert.pem
cp /root/CA/certs/server.crt /etc/apache2/cacert.pem
cp /root/CA/private/server.key /etc/apache2/privkey.pem</pre>  
cp /root/CA/private/server.key /etc/apache2/privkey.pem</pre>  
Restart the Apache webserver<br>  
Restart the Apache webserver<br>  
<pre>/etc/init.d/apache2 restart</pre>  
<pre>/etc/init.d/apache2 restart</pre>  
== Import the CA certificate  ==
== Import the CA certificate  ==


Import the CA certificate, this is file /root/CA/certs/myca.crt, into the browser of your choice.  
Import the CA certificate, this is file /root/CA/certs/myca.crt, into the browser of your choice.  
You could also make it publicly available for http access by coping the file to (for example) /home/web.


== References  ==
== References  ==


*http://openssl.org/  
*http://openssl.org/  
*http://www.g-loaded.eu/2005/11/10/be-your-own-ca/  
*http://www.g-loaded.eu/2005/11/10/be-your-own-ca/  
*http://www.eclectica.ca/howto/ssl-cert-howto.php<br>  
*http://www.eclectica.ca/howto/ssl-cert-howto.php<br>  
*http://www.top20toolbar.com/misc/codesigncert.htm<br>
*http://www.top20toolbar.com/misc/codesigncert.htm<br>

Latest revision as of 20:45, 7 September 2011

Tired of untrusted SSL messages? Then why not be your own Certificate Authority !?


This how-to describes how to generate your own CA certificate and generate and sign your own certificates.


Generate a CA Certificate and Key

Become the root user

su -
mkdir -m 0755 CA CA/private CA/certs CA/newcerts CA/crl
cd CA
touch index.txt
echo 1000 > serial
cp /etc/ssl/openssl.cnf .
chmod 600 index.txt serial openssl.cnf 

Modify the following parameters in the just copied file openssl.cnf

default_md = sha256
default_bits = 2048
dir = . # Where everything is kept
certificate = $dir/certs/myca.crt # The CA certificate
private_key = $dir/private/myca.key # The private key

Generate your CA certificate

openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 7300

The certificate will be valid for about 20 years.


Keep your password and key safe!

chmod 400 private/myca.key 

Generate a Certificate Request

Generate your B3 server certificate.


Note:


Fill in your B3 server name when asked the question: Common Name (eg, YOUR name) []:


Just hit enter when asked the question: A challenge password []:


otherwise you would be forced to enter the password everytime you start or restart the Apache webserver

openssl req -config openssl.cnf -new -nodes -keyout private/server.key -out server.csr -days 3650

The certificate will be valid for about 10 years.


Keep the key safe

chmod 400 private/server.key

Sign the Certificate Request

openssl ca -config openssl.cnf -policy policy_anything -out certs/server.crt -infiles server.csr
rm server.csr

Verify the certificate

openssl x509 -subject -issuer -enddate -noout -in certs/server.crt
openssl verify -purpose sslserver -CAfile certs/myca.crt certs/server.crt

Bounce Apache

Replace the old certifcates with your new certificates

cp /etc/apache2/cacert.pem /etc/apache2/cacert.pem.orig
cp /etc/apache2/privkey.pem /etc/apache2/privkey.pem.orig

cp /root/CA/certs/server.crt /etc/apache2/cacert.pem
cp /root/CA/private/server.key /etc/apache2/privkey.pem

Restart the Apache webserver

/etc/init.d/apache2 restart

Import the CA certificate

Import the CA certificate, this is file /root/CA/certs/myca.crt, into the browser of your choice.


You could also make it publicly available for http access by coping the file to (for example) /home/web.


References